NL1010921C2 - Encryption system for digital data, uses secondary key to mask primary key, is more difficult to decrypt by Brute Force Attack than data encrypted with conventional single key - Google Patents

Abstract

The unencrypted data (X) is fed to a cryptographic processor (P) where is encrypted by a primary key (K) to produce the encrypted output (Y). The processor is of the 'Data Encryption Standard type. In the present system, the primary key (K) is produced by another processor (Pasterisk) which is itself fed with a secondary key (Kasterisk) and an ancillary key (K').

Description

%

Title: Method and device for cryptographically processing data.

BACKGROUND OF THE INVENTION

The invention relates to a method for cryptographically processing data, comprising supplying values, namely the data and a key, to a cryptographic process, and executing the process to form cryptographically processed data. Such a method is known in practice.

In practice, generally known processes are often used for cryptographic processing of data. Examples of such cryptographic processes (algorithms) are DES and RSA, which are described, for example, in the book "Applied Cryptography" by B. Schneier (2nd edition), New York, 1996.

These processes are published because it was believed that, if the key length is sufficiently long, it would be impracticable to retrieve the original data and / or the key from the processed data, even if the cryptographic process was known.

However, attacks based on knowledge of the cryptographic process have recently been discovered. In other words, because the behavior of the process is known, it becomes considerably easier, in certain attacks, to retrieve the key used and / or the original data. It will be clear that this is undesirable.

SUMMARY OF THE INVENTION

The object of the invention is to solve the above-mentioned problem by indicating a method and circuit for executing a cryptographic process which makes the retrieval of the key considerably more difficult or even impracticable when using a known (i.e. public) cryptographic process. According to the invention, a method of the type mentioned in the preamble is characterized for this purpose by adding auxiliary values to the process in order to mask the values used in the process.

By masking the data and / or key (s) it becomes considerably more difficult to retrieve these values on the basis of the behavior of the process. The result of the process, i.e. the set of edited data, can be unchanged with a suitable selection of the 1 0 1 GO 2 1 2 auxiliary values, i.e. identical to the result of the process if no auxiliary values have been added to it . In this connection, an "auxiliary value" is understood to mean a value (data or key), which is added to the process in addition to the corresponding data and key.

The invention is therefore based on the insight that the conversion of the values used in a cryptographic process is considerably complicated if these values are masked by means of auxiliary values.

The invention is partly based on the further insight that the use of auxiliary values does not necessarily influence the result of the process.

In a first embodiment of the invention, an auxiliary value comprises an additional key which is supplied to an additional process to form the key.

By applying a combination of a known process and an additional process, a new, per se unknown cryptographic process is formed, even if the additional process is also known per se.

By deriving the key (primary key) used for the known process from an additional key (secondary key) by means of an additional process, it is achieved that not the (primary) key of the known process but the additional (secondary) key is offered to the combination of processes.

In other words, externally the additional (secondary) key is used and not the actual (primary) key of the actual process. Deriving the key from the original data and the edited data has therefore become impossible. It is also very difficult to derive the additional key, because the combination of the original process and the additional process is not known.

This embodiment of the invention is therefore based, inter alia, on the insight that the knowledge of a cryptographic process is undesirable, contrary to what has hitherto been assumed. This embodiment is also based on the further understanding that attacks that build on knowledge of the process become considerably more difficult if the process is unknown.

Preferably, the additional process comprises a cryptographic 1 'N- · 1 ^. · 1 ^ 3 process. This makes it easier to trace the additional key. In principle, for example, simple coding can be used as an additional process. An auxiliary key is preferably used in a cryptographic process.

Advantageously, the additional process is an invertible process.

This makes it possible to apply the method according to the invention to existing equipment with minimal changes. For example, if a first device issues an (additional) key which is used in a second device according to the invention, in the first Device the inverse of the additional process can be used to derive the additional key from the original key. In other words, although in both the first and the second device the original (primary) key is used internally, the additional (secondary) key is exchanged between the devices. However, interception of the additional key does not lead to knowledge of the original key,

It may be advantageous if the additional process takes place only if the data has predetermined properties. In this way, cryptographic editing can be performed only for certain, selected data, while it is blocked for all other data. In this way, additional protection is achieved.

Optimal security is provided if the process and the additional process are each composed of a number of steps, and in which steps of the Tiet process and the additional process are alternately carried out. This further obscures the properties of the known process, making it even more difficult to trace back the keys.

In a second embodiment of the invention, the process comprises a number of stages, each with a cryptographic operation for processing first data derived from the data and a combining operation for combining the processed first data with data derived second data to form third data in which the first data are each time combined with a first auxiliary value. This makes it possible to mask the data used in the cryptographic operation.

Preferably, the edited first data is always combined 1 π ·: o o i

E i> U w tAi E

4 with a second auxiliary value. This makes it possible to mask the third data.

Advantageously, the second auxiliary value of a stage is formed from the combination of the first auxiliary value of the previous stage and the first auxiliary value of the next stage. This makes it possible to compensate the first auxiliary value in the subsequent stage, so that this first auxiliary value will not affect the final result of the process. A further masking of all data, in particular in the first stage, is achieved if the first auxiliary value of the first stage is also combined with the second data.

It is possible to carry out the method according to the invention in such a way that all first aid values are equal. This makes a very simple practical realization possible. However, the use of different auxiliary values, which are preferably random numbers, offers greater cryptographic security.

A further simplification of this embodiment can be obtained if the first auxiliary values and / or second auxiliary values are each time combined in advance with the respective operation. That is, combining with auxiliary values is processed in the respective operation (eg, a substitution), so that the result of the respective operation is equal to that of the original operation plus one or two auxiliary value combination operations. By including the combination operations in the machining in advance, a simpler and faster practical realization is possible.

The said combination operations are preferably performed by means of an exclusive or operation. However, other combination operations, such as binary addition, are also possible in principle.

The invention further provides a circuit for performing a method of cryptographically processing data. The invention also provides a payment card and a payment terminal which are provided with such a circuit.

The invention will be explained in more detail below with reference to illustrative embodiments shown in the figures.

35

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 schematically shows a prior art cryptographic process.

i o i o:. 2 i 5

Fig. 2 schematically shows a first cryptographic process according to a first embodiment of the invention.

Fig. 3 schematically shows a second cryptographic process according to a first embodiment of the invention.

FIG. 4 schematically shows a way in which the processes of FIG.

1 and 2 can be performed.

Fig. 5 schematically shows a first cryptographic process according to a second embodiment of the invention.

Fig. 6 schematically shows a second cryptographic process 10 according to a second embodiment of the invention.

Fig. 7 schematically shows a circuit in which the invention is applied.

Fig. 8 schematically shows a payment system in which the invention is applied.

15

PREFERRED EMBODIMENTS

A (cryptographic) process P according to the prior art is schematically shown in figure 1. Input data X and a key K are applied to the process P. Using the key 20 K, the process P converts the input data X into (cryptographically) processed output data Y: Y = PR (X). Process P can be a known cryptographic process, such as DES (Data Encryption Standard), triple DES, or RSA (Rivest, Shamir & Adleman).

If the input data X and the output data Y are known, it is in principle possible to retrieve the key K used. With a key of sufficiently long length (i.e., a sufficiently large number of bits), it has hitherto been considered impossible to retrieve this key, even if the process P was known. Impossible in this case means that while it is theoretically possible, for example by trying all possible keys, to find out the key used, this requires an unusually long computing time.

Such a brute force attack is therefore hardly a threat to cryptographic security.

Recently discovered attacks, however, use knowledge of the process, which can drastically reduce the number of possible keys. This enables the used key K and / or the input data X to be derived from the output data Y within acceptable calculation times.

,, /.-v ~ λ r ·. 1 J; ; · «} - i y I

I {J i ^ w 4.- »« 6

The principle of the invention, which aims at making such attacks considerably more difficult and time-consuming, is schematically shown in Fig. 2. As in Fig. 1, a (known) process P is supplied with input data X and a (secret) key K to generate 5 output data Y.

In contrast to the situation of Fig. 1, in the situation of Fig. 2, the key K is supplied from an additional process P * to the process P. The additional process P * has an additional (secondary) key K * as input data to produce, under the influence of an auxiliary key K ', the (primary) key K as output data. Thus, as in the situation of Fig. 1, the key K is not supplied from an external source (for example a memory) to the process P, but is generated by the process P * from the additional (secondary) key K *: 15 K - P * K, (K)

Thus, it is the secondary key K * instead of the primary key K which is predetermined and stored, for example, in a key memory (not shown). In accordance with the invention, the primary key K supplied to the process P is not predetermined.

The auxiliary key K 'may be a permanently stored predetermined key. It is also possible to use an additional process P * in which no auxiliary key K 'is used.

The combination of the processes P and P * forms a new process, which is schematically indicated as Q. The process Q, which is unknown per se because of the additional process P *, becomes the input data X and the (secondary) key K * supplied to produce the output data Y. The relationship between the secondary key K * and the primary key K is obscured by the additional process P *.

The additional process P * is preferably the inverse of another invertible process R. That is, P * - R-1.

This makes it possible to generate the secondary key K * with the aid of R and the auxiliary key K 'from the primary key K: 35 K * = RK, (K), as will be explained in more detail later with reference to Figure 5. Optionally, the new process Q can be extended with the process R, so that the primary key K is fed to the process Q instead of the secondary key K *. In that case, the primary key K is derived in the process Q from: K = P * K, (K *) = P * k, (rk · (K)).

This makes it possible to use the same (primary) key as in the prior art.

The cryptographic process according to the invention schematically shown in Fig. 3 also comprises a process P with a primary key K and an additional process P * with an auxiliary key K ', wherein the primary key K by the additional process P * from the additional key K * is derived. In addition to the process of Fig. 1, in this case the input data X is also supplied to the additional process P *, so that the primary key K is determined partly in dependence on the input data X: K - P * K, (K *, X) 15 This provides additional cryptographic protection. In addition, this offers the possibility to execute the additional process P * only if certain input data are offered. That is, the additional process P * may include a test of the input data X and the execution of the additional process P * may depend on the result of that test. For example, the additional process P * can only be performed if the last two bits of the input data X are equal to zero. The effect of such an input data-dependent operation is that only for certain input data X the correct primary key K will be produced, so that only those input data yield the desired output data Y. It will be clear that this further enhances cryptographic security.

Fig. 4 schematically shows the manner in which partial steps of processes P and P * can be performed alternately (interleaving) in order to further increase the protection against attacks. The sub-steps can comprise so-called "rounds", as is the case with DES, for example. Preferably, however, the sub-steps comprise only one or a few instructions from a program with which the processes are executed.

In a first step 101, a first sub-step Pj of the process P is performed. Then, in a second step 102, the first sub-step Pj * of the additional process P * is performed. Likewise, in a third step 103, the second sub-step P2 of the process P is carried out. c ·. O 1 1 Ü \> J <3 * 8 etc. This continues until in step 110 the last sub-step Pn * of the additional process P * has been carried out, for the sake of the example it is assumed that the processes P and P * have the same include sub-steps. If not, the last corresponding sub-step is performed in step 110, and the remaining sub-steps are performed in further steps.

By alternating the sub-steps of the process P known per se and the (possibly also known per se) process P *, a series of sub-steps can be obtained which does not correspond to that of a known process. This makes the nature of the process more difficult to recognize.

The cryptographic process schematically shown in Fig. 5 comprises a number of stages S (S1 (S2 ......). In each stage S, first data FD is supplied to a cryptographic operation F. This cryptographic operation can itself be a number of sub-stages include, such as an expansion, a combination with a key, a substitution, and a permutation. The cryptographic operation F provides processed first data FD ', which are combined in a second operation C (C2, C2 .....) with second data SD to third data TD, which, like the first 20 data FD, are passed to the next stage The first and second data are derived in a preliminary operation PP from input data X and may undergo a preliminary permutation. processed data Y of the method, optionally after it has undergone final processing, such as an output permutation As shown in Fig. 5, at the end of each stage S, the third data TD and d The first data FD of position so that it forms the first data FD and second data SD of the next stage, respectively.

In accordance with the invention, the data contained in and between stages 30 are masked with auxiliary values. Thus, in the stage S2, an additional first combination operation ACj is present which combines the first data FD2 with a first auxiliary value Aj before this data is supplied to the cryptographic operation F. Furthermore, an additional combination operation BC2 is inserted between the cryptographic operation 35 F and the combination operation C2 for the purpose of combining the processed first data FD'2 with a second auxiliary value B2. Preferably, all combination operations are exclusive-of-operations.

Combining the first data FD2 with the first auxiliary value A.

Λ Ο: ’'-)'} i» '<.. ·' j * 9 causes the data processed in the cryptographic operation F to be masked. Combining with the second auxiliary value B results in further masking.

In accordance with a further aspect of the invention, the auxiliary values A and B are related. The second auxiliary value B is preferably formed by means of an exclusive-or-operation from the first auxiliary value Aj of the previous stage and the first auxiliary value A of the next stage. As a result, the first auxiliary value A is each time compensated in the next step. The first auxiliary value 10, however, has an effect in the third data TD, so that it remains masked between two stages. In the first stage Sj, the second auxiliary value Bj is preferably equal to the first auxiliary value A2 of the second stage S2>

In the process of Fig. 6, which largely corresponds to that of Fig. 5, the combining operations AC and BC with the cryptographic operation are combined into a combined operation F '. Integration of the combination operations is possible, for example, by appropriately adjusting a substitution table of the operation F. As a result, the additional combination operations AC and BC can be omitted.

Fig. 7 schematically shows a circuit 10 for implementing the method according to the invention. The circuit 10 comprises a first memory 11, a second memory 12 and a processor 13, the memories 11 and 12 and the processor 13 being coupled by means of a data bus 14. By providing two memories, it is possible to perform a partial step of one of the processes P and P * in each case (see Fig. 4), to store the result of that partial step in, for example, the first memory 11, and from the second memory 12 transfers a previous intermediate result from the other process 30 to the processor 13. In this way it is possible to efficiently carry out the alternating calculation of sub-steps of two different processes.

The payment system schematically shown in Fig. 8 comprises an electronic payment means 1 and a payment station 2. The electronic payment means 1 is for instance a so-called "smart card", i.e. a card which is provided with an integrated circuit for storing and processing payment data. The payment station 2 comprises a card reader 21 and a processor circuit 22. The i Π 1 Π · !; 9 i s U s u *.> C. 10 processor circuit 22 may correspond to circuit 10 of FIG.

5.

At the beginning of a transaction, the payment means 1 transfers an identification (card identification) ID to the payment station 2.

5 On the basis of this identification, the payment station 2 determines a key that will be used for this transaction. This identification ID can be applied as input data X (see Figures 1-3) to a cryptographic process which produces an identification-dependent transaction key KID 10 as output data Y on the basis of a master key MK. In accordance with the invention, the process shown in Figures 2 and 3 is used for this purpose, in which the master key MK is previously converted into an additional master key MK * by means of a process R. This additional master key MK * is now fed, preferably together with the identification ID 15 of Figure 3, to the additional process P * in order to reproduce the original master key MK and derive the transaction key KID from the identification ID.

Although a single additional process P * is always shown in Figures 2 and 3, multiple processes P *, P **, P ***, .., 20 may be used in series and / or parallel to form the primary key K to distract.

It will be clear to those skilled in the art that many modifications and additions are possible without departing from the scope of the invention.

1 0 1 i) é 2 1

Claims (19)

1 Q 1 ü c) 2 1 (A) of the first stage is also combined with the second data (SD). A method for cryptographically processing data, comprising supplying values, i.e. the data (X) and a key (K), to a cryptographic process (P), and executing the process (P) 5 to perform cryptographically processed data (Y), characterized by adding auxiliary values (K *; A, B) to the process (P) to mask the values (K; D) used in the process (P). The method of claim 1, wherein an auxiliary value comprises an additional key (K *) which is supplied to an additional process (P *) 10 to form the key (K). The method of claim 2, wherein the additional process (P *) comprises a cryptographic process to which an auxiliary key (K ') is applied. Method according to claim 2 or 3, wherein the additional process (P *) is an invertible process. The method of claim 2, 3 or 4, wherein the data (X) is also supplied to the additional process (P *). Method according to claim 5, wherein the execution of the additional process (P *) only takes place if the data (X) 20 have predetermined properties. A method according to any one of claims 2-6, wherein the process (P) and the additional process (P *) are each composed of a number of steps, and in which steps of the process (P) and the additional process (P) alternate *) are carried out. A method according to any preceding claim, wherein the process (P) comprises a plurality of steps (S) each having a cryptographic operation (F) for processing first data (FD) derived from the data (X) and a combination operation (C) for combining the processed first data (FD ') with second data (SD) also derived from the data (X) in order to form third data (TD), and in which the first data (FD) each have a first aid value (A) are combined. Method according to claim 8, wherein the processed first data (FD ') are each combined with a second auxiliary value (B). The method of claims 8 and 9, wherein the second auxiliary value 35 (B) of a stage is formed from the combination of the first auxiliary value (A) of the previous stage and the first auxiliary value (A) of the next stage. The method of claim 8 or 10, wherein the first auxiliary value The method of any one of claims 8-11, wherein all first auxiliary values (A) are equal. A method according to any one of claims 9-12, wherein the first auxiliary values (A) and / or second auxiliary values (B) are each previously combined with the respective operation (F). 14. Method as claimed in any of the claims 8-13, wherein the combining is carried out by means of an exclusive-or-operation. A method according to any preceding claim, wherein the data (X) comprises identification data of a payment means (1) and the processed data (Y) forms a diversified key. 16. Method according to any of the preceding claims, wherein the process comprises (P) DES, preferably triple DES. Circuit (10) for performing the method according to any of the preceding claims. Payment card (1), provided with a circuit (10) according to claim 17. 19. Payment terminal (2), provided with a circuit according to claim 17. 1 0 "\ Cl" 2 1